Abstract

We study the convergence problem in fully asynchronous, uni-dimensional robot networks
that are prone to Byzantine (i.e. malicious) failures. In these settings, oblivious
anonymous robots with arbitrary initial positions are required to eventually converge to
an a priori unknown position despite a subset of them exhibiting Byzantine behavior.
Our contribution is twofold. We propose a deterministic algorithm that solves the problem
in the most generic settings: fully asynchronous robots that operate in the non-atomic
CORDA model. Our algorithm provides convergence in 5f + 1-sized networks where f is
the upper bound on the number of Byzantine robots. Additionally, we prove that 5f + 1 is
a lower bound whenever robot scheduling is fully asynchronous. This contrasts with
previous results in partially synchronous robots networks, where 3f + 1 robots are necessary
and sufficient.

Keywords: Robots networks, Byzantine tolerance, Asynchronous systems, Conver-

1 Introduction

The use of cooperative swarms of weak inexpensive robots for achieving complex tasks such
as exploration or tracking in dangerous environments is a promising option for reducing
both human and material costs. Robot networks recently became a challenging research
area for distributed systems since most of the problems to be solved in this context (e.g.
coordination, agreement, resource allocation or leader election) form the core of distributed
computing. However, the classical distributed computing solutions do not translate well due
to fundamentally different execution models.

In order to capture the essence of distributed coordination in robot networks, two main
computational models are proposed in the literature: the ATOM [10] and CORDA [9] models.
The main difference between the two models comes from the granularity for executing a
Look-Compute-Move cycle. In such a cycle, the Look phase consists in taking a snapshot of the
other robots' positions using its visibility sensors. In the Compute phase a robot computes
a target destination based on its previous observation. The Move phase simply consists in
moving toward the computed destination using motion actuators. In the ATOM model, the
whole cycle is atomic while in the CORDA model, the cycle is executed in a continuous
manner. That is, in the ATOM model, robots executing concurrently always remain in the
same phase while in CORDA it is possible that e.g. a robot executes its Look phase while
another robot performs its Move phase, or that a robot executes its Compute phase while its
view (obtained during the Look phase) is already outdated. Of course, executions that may
appear in the CORDA model are a strict superset of those that may appear in the ATOM
model, so a protocol that performs in the CORDA model also works in the ATOM model,
but the converse is not true. Similarly, impossibility results for the ATOM model still hold
in the CORDA model. Complementary to the granularity of robots' actions is the amount of
asynchrony in the system, that is modeled by the scheduler: (i) a fully synchronous scheduler
operates all robots in a lock-step manner forever, while (ii) a k-bounded scheduler preserves
a ratio of k between the most often activated robot and the least often activated robot, finally
(iii) a fully asynchronous scheduler only guarantees that every robot is activated infinitely
often in an infinite execution. The robots that we consider have weak capacities: they are
anonymous (they execute the same protocol and have no means to distinguish themselves from
the others), oblivious (they have no memory that is persistent between two cycles), and have
no compass whatsoever (they are unable to agree on a common direction or orientation).

Convergence is a fundamental agreement primitive in robot networks and is used in the 
implementation of a broad class of services (e.g. the construction of common coordinate
systems or specific geometrical patterns). Given a set of oblivious robots with arbitrary 
initial locations and no agreement on a global coordinate system, convergence requires that 
all robots asymptotically approach the same, but unknown beforehand, location. Convergence 
looks similar to distributed approximate agreement since both problems require nodes to agree 
on a common object (that is instantiated to be a position in space for the case of convergence, 
or a value in the case of distributed agreement). 

Related works. Since the pioneering work of Suzuki and Yamashita [10], gathering¹ and
convergence have been addressed in fault-free systems for a broad class of settings. Prencipe [9]
studied the problem of gathering in both ATOM and CORDA models, and showed that
the problem is intractable without additional assumptions such as being able to detect the
multiplicity of a location (i.e., knowing if there is more than one robot in a given location).

The case of fault-prone robot networks was recently tackled by several academic studies.
The faults that have been investigated fall in two categories: crash faults (i.e. a faulty
robot stops executing its cycle forever) and Byzantine faults (i.e. a faulty robot may exhibit
arbitrary behavior and movement). Of course, the Byzantine fault model encompasses the
crash fault model, and is thus harder to address. Deterministic fault-tolerant gathering
is addressed in [2] where the authors study a gathering protocol that tolerates one crash,
and an algorithm for the ATOM model with fully synchronous scheduling that tolerates up
to f Byzantine faults, when the number of robots is (strictly) greater than 3f. In [6] the
authors study the feasibility of probabilistic gathering in crash-prone and Byzantine-prone
environments. Deterministic fault-tolerant convergence was first addressed in [4, 5], where
algorithms based on convergence to the center of gravity of the system are presented. Those
algorithms work in the ATOM [4] and CORDA [5] models with a fully asynchronous scheduler
and tolerate up to f (n > f) crash faults, where n is the number of robots in the system.
Most related to this paper are [1, 3], where the authors studied convergence in
Byzantine-prone environments when robots move in a uni-dimensional space. In more detail, [1] showed
that convergence is impossible if robots are not endowed with strong multiplicity detectors
which are able to detect the exact number of robots that may simultaneously share the same

¹ Gathering requires robots to actually reach a single point within finite time regardless of their initial
positions.

Reference    Computation Model   Scheduler            Bounds
[2]          ATOM                fully synchronous    n > 3f
[1]          ATOM                fully synchronous    n > 2f
             ATOM                k-bounded            n > 3f
             CORDA               k-bounded            n > 4f
[3]          CORDA               k-bounded            n > 3f
This paper   CORDA               fully asynchronous   n > 5f

Table 1: Byzantine resilience bounds for deterministic convergence



location. The same paper defines the class of cautious algorithms which guarantee that correct
robots always move inside the range of positions held by correct robots, and proved that any
cautious convergence algorithm that can tolerate f Byzantine robots requires the presence of
at least 2f + 1 robots in fully-synchronous ATOM networks and 3f + 1 robots in k-bounded
(and thus also in fully asynchronous) ATOM networks. The lower bound for the ATOM
model naturally extends to the CORDA model, and [3] provides a matching upper bound in
the k-bounded CORDA model.

Interestingly enough, all previously known deterministic Byzantine tolerant robot protocols
assume either the more restrictive ATOM model [6], or the constrained fully synchronous [2]
or k-bounded [1, 3] schedulers, thus the question of the existence of such protocols
in a fully asynchronous CORDA model remains open.

Our contribution. We present the first study of Byzantine resilient robot protocols that
considers the most general execution model: the CORDA model together with the fully
asynchronous scheduler. We concentrate on the convergence problem and prove that the
fully asynchronous scheduler implies a lower bound of 5f + 1 for the number n of robots
for the class of cautious protocols (this bound holds for both ATOM and CORDA models).
We also exhibit a deterministic protocol that matches this lower bound (that is, provided
that n ≥ 5f + 1, our protocol is deterministic and performs in the CORDA model with
fully asynchronous scheduling). Table 1 summarizes the characteristics of our protocol with
respect to previous work on Byzantine tolerant robot convergence (better characteristics for
a protocol are depicted in boldface).

Outline. The remainder of the paper is organized as follows: Section 2 presents our model
and robot network assumptions. This section also presents the formal specification of the
convergence problem. Section 3 presents the Byzantine resilience lower bound proof.
Section 4 describes our protocol and its complexity, while concluding remarks are presented in
Section 5.

2 Model and Problem Definition 

Most of the notions presented in this section are borrowed from [10, 8, 2]. We consider a
network that consists of a finite set of robots arbitrarily deployed in a uni-dimensional space.
The robots are devices with sensing, computing and moving capabilities. They can observe
(sense) the positions of other robots in the space and based on these observations, they
perform some local computations that can drive them to other locations.

In the context of this paper, the robots are anonymous, in the sense that they cannot be
distinguished using their appearance, and they do not have any kind of identifiers that can be
used during the computation. In addition, there is no direct means of communication between
them. Hence, the only way for robots to acquire information is by observing their positions.
Robots have unlimited visibility, i.e. they are able to sense the entire set of robots. Robots are
also equipped with a strong multiplicity sensor that provides robots with the ability to detect
the exact number of robots that may simultaneously occupy the same location. We assume
that the robots cannot remember any previous observation nor computation performed in
any previous step. Such robots are said to be oblivious (or memoryless).

A protocol is a collection of n programs, one operating on each robot. The program of
a robot consists in executing Look-Compute-Move cycles infinitely many times. That is, the
robot first observes its environment (Look phase). An observation returns a snapshot of the
positions of all robots within the visibility range. In our case, this observation returns a
snapshot (also called configuration hereafter) of the positions of all robots denoted with
$P(t) = \{P_1(t), \ldots, P_n(t)\}$. The positions of correct robots are referred to as
$U(t) = \{U_1(t), \ldots, U_m(t)\}$ where m denotes the number of correct robots. Note that
$U(t) \subseteq P(t)$. The observed positions are relative to the observing robot, that is, they
use the coordinate system of the observing robot. We denote by
$P^i(t) = \{P^i_1(t), \ldots, P^i_n(t)\}$ the configuration P(t) given in
terms of the coordinate system of robot i ($U^i(t)$ is defined similarly). Based on its
observation, a robot then decides, according to its program, to move or to stay idle (Compute
phase). When a robot decides a move, it moves to its destination during the Move phase. An
execution $e = (c_0, \ldots, c_t, \ldots)$ of the system is an infinite sequence of configurations,
where $c_0$ is the initial configuration² of the system, and every transition $c_t \to c_{t+1}$ is
associated to the execution of a subset of the previously defined actions.

A scheduler is a predicate on computations, that is, a scheduler defines a set of admissible 
computations, such that every computation in this set satisfies the scheduler predicate. A 
scheduler can be seen as an entity that is external to the system and selects robots for 
execution. As more power is given to the scheduler for robot scheduling, more different
executions are possible and the more difficult it becomes to design robot algorithms. In the
remainder of the paper, we consider that the scheduler is fully asynchronous, that is, in any
infinite execution, every robot is activated infinitely often, but there is no bound for the ratio
between the most activated robot and the least activated one.

We now review the main differences between the ATOM [10] and CORDA [8] models.
In the ATOM model, whenever a robot is activated by the scheduler, it performs a full
computation cycle. Thus, the execution of the system can be viewed as an infinite sequence
of rounds. In a round one or more robots are activated by the scheduler and perform a
computation cycle. The fully-synchronous ATOM model refers to the fact that the scheduler
activates all robots in each round, while the regular ATOM model enables the scheduler to
activate only a subset of the robots. In the CORDA model, robots may be interrupted by
the scheduler after performing only a portion of a computation cycle. In particular, phases
(Look, Compute, Move) of different robots may be interleaved. For example, a robot a may
perform a Look phase, then a robot b performs a Look-Compute-Move complete cycle, then
a computes and moves based on its previous observation (that does not correspond to the
current configuration anymore). As a result, the set of executions that are possible in the
CORDA model is a strict superset of those that are possible in the ATOM model. So, an
impossibility result that holds in the ATOM model also holds in the CORDA model, while
an algorithm that performs in the CORDA model is also correct in the ATOM model. Note
that the converse is not necessarily true.

² Unless stated otherwise, we make no specific assumption regarding the respective positions of robots in
initial configurations.

The faults we address in this paper are Byzantine faults. A Byzantine (or malicious) robot
may behave in an arbitrary and unforeseeable way. In each cycle, the scheduler determines the
course of action of faulty robots and the distance to which each non-faulty robot will move
in this cycle. However, a robot i is guaranteed to move a distance of at least $\delta_i$ towards its
destination before it can be stopped by the scheduler.

Our convergence algorithm performs operations on multisets. A multiset or a bag S
is a generalization of a set where an element can have more than one occurrence. The
number of occurrences of an element a is referred to as its multiplicity. The total number of
elements of a multiset, including their repeated occurrences, is referred to as the cardinality and
is denoted by |S|. min(S) (resp. max(S)) is the smallest (resp. largest) element of S. If S is
nonempty, range(S) denotes the set [min(S), max(S)] and diam(S) (diameter of S) denotes
max(S) - min(S).

Given an initial configuration of n autonomous mobile robots (m of which are correct such
that m ≥ n - f), the point convergence problem requires that all correct robots asymptotically
approach the exact same, but unknown beforehand, location. In other words, for every ε > 0,
there is a time $t_\epsilon$ from which all correct robots are within distance of at most ε of each other.

Definition 2.1 (Byzantine Convergence) A system of oblivious robots satisfies the Byzantine
convergence specification if and only if $\forall \epsilon > 0, \exists t_\epsilon$ such that
$\forall t > t_\epsilon$, $\forall i, j \le m$, $distance(U_i(t), U_j(t)) < \epsilon$, where $U_i(t)$ and $U_j(t)$
are the positions of some correct robots i and j at time t, and where distance(a, b) denotes the
Euclidean distance between two positions.

Definition 2.1 requires the convergence property only from the correct robots. Note that 
it is impossible to obtain the convergence for all robots since Byzantine robots may exhibit 
arbitrary behavior and never join the position of correct robots. 

3 Impossibility for n ≤ 5f and a fully asynchronous scheduler

In this section we prove that, when the number of robots in the network does not
exceed 5f (with f of those robots possibly being Byzantine), the problem of Byzantine resilient
convergence is impossible to solve under a fully asynchronous scheduler. The result is proved
for the weaker ATOM model, and thus extends to the CORDA model.

Our proof is based on a particular initial setting from which we prove that no cautious
convergence algorithm is possible if the activation of robots is handled by a fully asynchronous
scheduler. Consider a network N of n robots placed on a line segment [A, B], f of which may
be Byzantine with n ≤ 5f. We consider that robots are ordered from left to right. This order
is only given for ease of presentation of the proof and is unknown to robots, which cannot use it
in their algorithms. It was proved in [1] that the problem is impossible to solve when n ≤ 3f;
we thus consider here the case when 3f < n ≤ 5f only. The initial placement of correct
robots is illustrated in Figure 1: f robots are at location A, f other robots are at location
B and the remaining m - 2f ones are located at some intermediate location between A and
B. The impossibility proof depends on the ability of the adversary to move these m - 2f
robots along [A, B], so their position is denoted by a variable X, with X belonging to the interval
(A, B). In the following, these three groups of robots located at A, B and X will be referred
to as SetA, SetB and SetX respectively. The positions of the Byzantine robots are determined
by the adversary.

Figure 1: Robot Network N (Configuration C1) for (n = 9, f = 2)

We show by contradiction that in these conditions, no cautious convergence algorithm is
possible. Assume that there exists a cautious convergence algorithm P that is correct when
the robots are activated by a fully asynchronous scheduler, then we show that in this setting,
any cautious algorithm P satisfies properties that can be used by the adversary to prevent
convergence of P, which is a contradiction.

The properties satisfied by all cautious protocols are captured in the following two basic 
facts: 

• Fact 1: If all Byzantine robots are inside [A, X] (resp. [X, B]) then when robots of
SetA (resp. SetB) are activated, their calculated destination points are necessarily
inside [A, X] (resp. [X, B]). This fact is proved by Lemma 3.1.

• Fact 2: The adversary is able to move the robots of SetX as close as desired to location
A (resp. B). This is proved by Lemmas 3.2, 3.3 and 3.4.

Based on this, the adversary first moves the robots of SetX very close to A (using Fact 
2) and then activates the robots of SetA that remain in the neighborhood of A (due to Fact 
1). Afterward, it moves the intermediate robots of SetX very close to B (using Fact 2) and 
activates the robots of SetB which also remain in the neighborhood of B (due to Fact 1). 
By repeating these actions indefinitely, the adversary ensures that every robot is activated 
infinitely often in the execution yet prevents convergence at the same time since robots at A 
and B remain always arbitrarily close to their initial positions and never converge. 

In the following, we prove Fact 1 and Fact 2 by a sequence of lemmas, and then give a
formal presentation of the algorithm used by the adversary to prevent any cautious protocol
from achieving convergence.

Lemma 3.1 In N, $\forall X \in (A, B)$, if all Byzantine robots are inside [A, X] (resp. [X, B]) then
when robots of SetA (resp. SetB) are activated, their destination points computed by any
cautious algorithm are necessarily inside [A, X] (resp. [X, B]).

To prove Fact 2, we use the network N described above (see Figure 1). We prove only the
capability of the adversary to move the intermediate robots at X as close as wanted to B,
the other case being symmetric. Fact 2 implies that if the number of robots in the network is
lower or equal to 5f then there always exists a judicious placement of the Byzantine robots that
permits the adversary to make the intermediate robots in X move in the direction of B up
to a location that is as close as desired to B. We divide the analysis in two cases depending
on the parity of (n - f).

Case 1: (n - f) is even. To push the robots of SetX as close to A or B as wanted,
the adversary uses algorithm GoToBorder1 (G2B1) described as Algorithm 1. Informally,
the algorithm divides Byzantine robots between position X and the target border to which
the adversary wants to push the robots of SetX (e.g. B in what follows). The aim of the
adversary is to maintain the same number of robots in X and B (this is possible because
n - f is even). We prove that in this case, any cautious convergence algorithm makes the
robots of SetX move towards B. However, the distance traveled by them may be too small to
bring them sufficiently close to B. Since the scheduler is fully asynchronous, it is authorized
to activate the robots of SetX as often as necessary to bring them close to B, as long as it
does so for a finite number of times.

Algorithm 1 GoToBorder1 (G2B1)

Input: Border: the border towards which robots of SetX move (equal to A or B).
Input: d: a distance.

Actions:
    while distance(X, Border) > d do
        Place (n - 3f)/2 Byzantine robots at Border.
        Place (5f - n)/2 Byzantine robots at X.
        Activate simultaneously all robots of SetX and make them move to their computed destination D.
        X ← D
    end while


Lemma 3.2 If (n - f) is even, $\forall d < distance(A, B)$, $\forall Border \in \{A, B\}$, algorithm G2B1(Border, d)
terminates.

Case 2: (n - f) is odd. To prove Lemma 3.2, we relied on the symmetry induced by
the placement of Byzantine robots. This symmetry is possible only because (n - f) is even.
Indeed, having the same number of robots in B and X implies that convergence responsibility
is delegated to both robots at X and at B (there is no asymmetry to exploit to get one of these
two groups to play a role that would be different from the other group). Robots of SetX and
SetB have thus no other choice but to move toward each other when they are activated. The
distance traveled at each activation must be large enough to ensure the eventual convergence
of the algorithm.

However, the situation is quite different when (n - f) is odd. Indeed, the number of
robots is necessarily different in X and B, which means that one of the two points has a
greater multiplicity than the other. Then in this case there is no guarantee that a cautious
convergence algorithm will order the robots of SetX to move toward B when they are activated
(the protocol could delegate the convergence responsibility to robots of SetB). Nevertheless,
we observe that whatever the cautious algorithm is, if it does not move the robots that are
located at the greatest point of multiplicity, it must do so for those at the smallest one (and
vice versa), otherwise no convergence is ever possible. The convergence is thus either under
the responsibility of robots at the larger point of multiplicity or those at the smaller one (or
both).

This observation is exploited by Algorithm GoToBorder2 (G2B2), presented as
Algorithm 2, which tries the two possible cases to ensure its proper functioning when confronted
with any cautious algorithm. The algorithm forms the larger point of multiplicity at B at one
cycle, and the next cycle at X. Thus, point X will be the larger point of multiplicity one time,
and the smallest one the next time. This implies that the robots of SetX must move towards
B at least once every two cycles. So by repeatedly alternating between the two configurations
where robots of SetX are successively the set of larger and smaller multiplicity, the adversary
ensures that they end up moving towards B. The full asynchrony of the scheduler ensures
that they are activated as many times as it takes to move them as close to B as wanted,
provided that the algorithm terminates.

Algorithm 2 GoToBorder2 (G2B2)

Input: Border: the border towards which the robots of SetX move (equal to A or B).
Input: d: a distance.

Actions:
    Place (n - 3f + 1)/2 Byzantine robots at Border.
    Place (5f - n - 1)/2 Byzantine robots at X.
    while distance(X, Border) > d do
        Activate simultaneously all robots at X and make them move to their computed destination D.
        X ← D
        Move a Byzantine robot from Border to X.
        Activate simultaneously all robots at X and make them move to their computed destination D.
        X ← D
        Move a Byzantine robot from X to Border.
    end while



Lemma 3.3 If (n - f) is odd, $\forall d < distance(A, B)$, $\forall Border \in \{A, B\}$, algorithm G2B2(Border, d)
terminates.
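
The multiplicities created by the placements of Algorithms 1 and 2, worked out as an added derivation that is not part of the original text. It assumes that network N holds exactly m = n - f correct robots, so that SetX holds n - 3f robots and the set at Border holds f.

\[
\begin{aligned}
\text{G2B1, robots at } Border &: \quad f + \frac{n-3f}{2} = \frac{n-f}{2}, \\
\text{G2B1, robots at } X &: \quad (n-3f) + \frac{5f-n}{2} = \frac{n-f}{2}, \\
\text{G2B1, Byzantine robots used} &: \quad \frac{n-3f}{2} + \frac{5f-n}{2} = f, \\
\text{G2B2, robots at } Border &: \quad f + \frac{n-3f+1}{2} = \frac{n-f+1}{2}, \\
\text{G2B2, robots at } X &: \quad (n-3f) + \frac{5f-n-1}{2} = \frac{n-f-1}{2}, \\
\text{G2B2, Byzantine robots used} &: \quad \frac{n-3f+1}{2} + \frac{5f-n-1}{2} = f .
\end{aligned}
\]

In G2B1 the two points have equal multiplicity, and both Byzantine counts are non-negative integers exactly when n - f is even and 3f ≤ n ≤ 5f. In G2B2 the point at Border holds one robot more than X, and moving a single Byzantine robot from Border to X swaps the two multiplicities; the count (5f - n - 1)/2 is non-negative because n - f odd excludes n = 5f. In both cases the adversary needs all f Byzantine robots and no more, which is where the bound n ≤ 5f enters.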

We are now ready to prove Fact 2.

Lemma 3.4 For n ≤ 5f, $\forall d < distance(A, B)$, if the robots run a cautious convergence
algorithm, the fully distributed scheduler is able to move the robots of SetX into a position
> B - d or < A + d.

Proof: The proof follows directly from Lemmas 3.2 and 3.3. □ 

The Split function. The purpose of Algorithms G2B1 and G2B2 is to push the intermediate
robots of SetX as close as the adversary wants to the extremities of the network. For ease of
description, we assume in what follows that the adversary wants to push them towards the
extremity B. These two routines are then used by the adversary to prevent the convergence of
the algorithm. For the algorithm of the adversary to work, it is necessary to keep the robots of
SetA, SetB and SetX separated from each other and to avoid, for example, that the robots of
SetX merge with those of SetB and form a single point of multiplicity. Yet, functions G2B1
and G2B2 cannot prevent such a situation from appearing because the destinations are computed
by the convergence algorithm, which can order the robots to move exactly towards B. If the
distance to travel is too small ($distance(X, B) < \delta_i$ for all $i \in SetX$), then the adversary
cannot stop the robots of SetX before they arrive at B. To recover from this situation and
separate the robots that have merged, we define a new function Split(Set, Border) which
separates the robots of Set from those located at Border. For example, Split(SetX, B)
separates the robots of SetX from those of SetB by directing them towards A. Lemma 3.5 is used
to prove that function Split performs as planned. Let N be a network of n robots divided
between two positions A and B. Let p and q be the number of robots at A and B respectively.
These robots are endowed with a cautious convergence algorithm that tolerates the presence
of up to f Byzantine robots. Lemma 3.5 proves that if a robot in A or B is activated, it
cannot remain in its position and moves toward the robots located in the other point.

Lemma 3.5 If |p - q| > f, then if a robot at A (resp. B) is activated, its destination computed
by any cautious convergence algorithm lies inside (A, B] (resp. [A, B)).

We now present Function Split(Set, Border), given as Algorithm 3. We first
define $Max\delta$ as $\max\{\delta_i \mid i \text{ is a correct robot}\}$ such that $\delta_i$ is the minimum distance that can
be traveled by a robot i before it may be stopped by the adversary. This means that if a
group of robots (SetX in our case) are distant from their destination by more than $Max\delta$,
the adversary is able to stop them all before they reach their destination. Notice now that
in the setting of network N described in Figure 1, SetA and SetB contain each exactly f
correct robots. If robots of SetX merge with those of SetB for example, they form a set of
n - 2f correct robots colocated in the same multiplicity point. By placing all the Byzantine
robots at A, this location contains a set of 2f robots. The difference between the two sets
of robots in A and B is lower or equal to f (because 3f < n ≤ 5f). Then if we activate the
robots of SetX (which are located at B), they will move towards A according to Lemma 3.5.
By stopping these robots once they all travelled a distance equal to $Max\delta$ or reached their
destination before, we ensure that the three sets SetA, SetX and SetB are disjoint, because
the initial distance between A and B is > $Max\delta$.

Algorithm 3 Function Split(Set, Border)

Require: distance(A, B) > $Max\delta$

Variables:
    Input: Border: is equal to A or to B.
    Input: Set: the set of robots to move away from Border.
    OppositeBorder: is equal to B if the input Border is equal to A, and vice versa.

Actions:
    Place all Byzantine robots in OppositeBorder.
    Activate the robots of Set, and stop them at a point $Max\delta$ away from Border.



The fully asynchronous scheduler algorithm 

Theorem 3.6 In the ATOM model, the problem of Byzantine resilient convergence is
impossible to solve with a cautious algorithm under a fully asynchronous scheduler.

Proof: We prove that for network N, there can be no cautious convergence algorithm
for n ≤ 5f if the robots are activated by a fully asynchronous scheduler. The algorithm of
the adversary is given as Algorithm 4 and it can prevent any cautious algorithm from converging.
Indeed, if the initial distance between robots at A and B is equal to d, then these robots will
always remain distant from each other by a distance at least equal to 6d/10. The proof of
Algorithm 4 follows directly from Lemmas 3.1, 3.4 and 3.5. □

Algorithm 4 Adversary Algorithm

Require: distance(A, B) > $Max\delta$

Definitions:
    d0: any distance that is strictly smaller than distance(A, B)/4, let d0 ← distance(A, B)/10.
    G2B(Border, d): equal to G2B1(Border, d) if n - f is even and equal to G2B2(Border, d) if n - f is odd.

Actions:
    while true do
        G2B(A, d0).
        Activate the robots at A.
        if the robots of SetX are at A, then Split(SetX, A).
        G2B(B, d0).
        Activate the robots at B.
        if the robots of SetX are at B, then Split(SetX, B).
        d0 ← d0/2
    end while



4 Deterministic Asynchronous Convergence 

In this section, we propose a deterministic convergence algorithm and prove its correctness in
CORDA model under a fully asynchronous scheduler when there are at least 5f + 1 robots,
f of which may be Byzantine.

Algorithm Description. The idea of our algorithm is based on three mechanisms: (1) a
trimming function for the computation of destinations, (2) location dependency and (3) an 
election procedure. The purpose of the trimming function is to ignore the most extreme 
positions in the network when computing the destination. Robots move hence towards the 
center of the remaining positions. Consequently, the effect of Byzantine robots is canceled 
since they cannot drag the correct robots away from the range of correct positions. 

Location dependency affects the computation of the trimming function such that the re- 
turned result depends on the position of the calling robot. This leads to interesting properties 
on the relation between the position of a robot and its destination that are critical to
convergence. The election procedure instructs to move only the robots located at the two extremes
of the network. Thus, by the combined effect of these three mechanisms, as the algorithm 
progresses, the extreme robots come together towards the middle of the range of correct 
positions which ensures the eventual convergence of the algorithm. 

The algorithm uses three functions as follows. The trimming function $trim_{2f}^{i}()$ removes among the $2f$ largest positions of the multiset given in parameter only those that are greater than the position of the calling robot $i$. Similarly, it removes among the $2f$ smallest positions only those that are smaller than the position of the calling robot. It is clear that the output of $trim_{2f}^{i}()$ depends on the position of the calling robot. Formally, let $minindex_i$ be the index of the minimum position between $P_i(t)$ and $P_{2f+1}(t)$ (if $P_i(t) < P_{2f+1}(t)$ then $minindex_i$ is equal to $i$, otherwise it is equal to $2f + 1$). Similarly, let $maxindex_i$ be the index of the maximum position between $P_i(t)$ and $P_{n-2f}(t)$ (if $P_i(t) > P_{n-2f}(t)$ then $maxindex_i$ is equal to $i$, otherwise it is equal to $n - 2f$). $trim_{2f}^{i}(P(t))$ is the multiset consisting of positions

$\{P_{minindex_i}(t), P_{minindex_i+1}(t), \ldots, P_{maxindex_i}(t)\}$

The function center() simply returns the median point of the input range. The two functions are illustrated in Figure 2.

The election function returns true if the calling robot is allowed to move. Only the robots that are located at the extremes of the network are allowed to move, that is those whose position is either $< P_{f+1}(t)$ or $> P_{n-f}(t)$.



Figure 2: Illustration of functions $trim_{2f}^{i}$ and center for robots A in a system of $(n = 16, f = 3)$ robots.



Algorithm 5 Convergence Algorithm under a fully asynchronous Scheduler
Functions:
    $trim_{2f}^{i}(P(t))$: removes up to $2f$ largest positions that are larger than $P_i(t)$ and up to $2f$ smallest positions that are smaller than $P_i(t)$ from the multiset $P(t)$ given in parameter.
    center(): returns the point that is in the middle of the range of points given in parameter.
    elected() = (($P_i(t) < P_{f+1}(t)$) or ($P_i(t) > P_{n-f}(t)$)). This function returns true if the calling robot is allowed to move.

Actions:
    if elected() move towards center($trim_{2f}^{i}(P(t))$)
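
The three functions of Algorithm 5, written out as an added Python sketch (not code from the paper) and run on constructed positions with n = 16, f = 3. Assumptions: the election test is read as non-strict, following the "less equal / greater equal" wording used later for Lemma 5.3; run_rounds uses synchronous rounds with full moves, a simplification of the CORDA model; destination, is_cautious and run_rounds are hypothetical helper names.

```python
from bisect import bisect_left, bisect_right


def trim(positions, p_i, f):
    """Location-dependent trimming: P_minindex .. P_maxindex of the sorted multiset.

    Among the 2f smallest positions only those below p_i are dropped, and
    among the 2f largest only those above p_i. p_i must occur in positions.
    """
    P = sorted(positions)
    n = len(P)
    if n < 4 * f + 1:
        raise ValueError("trimmed multiset undefined for n < 4f + 1")
    lo = min(bisect_left(P, p_i), 2 * f)               # 0-based index of P_{2f+1}
    hi = max(bisect_right(P, p_i) - 1, n - 2 * f - 1)  # 0-based index of P_{n-2f}
    return P[lo:hi + 1]


def center(multiset):
    """Middle of the range spanned by the given points."""
    return (min(multiset) + max(multiset)) / 2


def elected(positions, p_i, f):
    """True for robots at the extremes (non-strict comparison: an assumption)."""
    P = sorted(positions)
    return p_i <= P[f] or p_i >= P[len(P) - f - 1]


def destination(positions, p_i, f):
    """Destination of one Look-Compute cycle, or None if the robot is not elected."""
    if not elected(positions, p_i, f):
        return None
    return center(trim(positions, p_i, f))


def is_cautious(correct, byzantine, f):
    """True if every destination computed by a correct robot lies in range(U)."""
    view = correct + byzantine
    lo, hi = min(correct), max(correct)
    dests = [destination(view, p, f) for p in correct]
    return all(d is None or lo <= d <= hi for d in dests)


def run_rounds(correct, f, rounds, far=1000.0):
    """Diameter of the correct robots after each round (index 0 is the start).

    Simplified schedule (assumption): every correct robot looks, computes and
    moves all the way in the same round. The constructed adversary parks the
    f Byzantine robots far left on even rounds and far right on odd rounds.
    """
    U = list(correct)
    history = [max(U) - min(U)]
    for r in range(rounds):
        view = U + [-far if r % 2 == 0 else far] * f
        moved = []
        for p in U:
            d = destination(view, p, f)
            moved.append(p if d is None else d)
        U = moved
        history.append(max(U) - min(U))
    return history


F = 3
CORRECT = [float(x) for x in range(13)]   # constructed: 13 correct robots at 0..12

if __name__ == "__main__":
    left = [-1000.0] * F
    print("untrimmed midpoint :", center(CORRECT + left))
    print("robot at 0 moves to:", destination(CORRECT + left, 0.0, F))
    print("cautious, f faulty :", is_cautious(CORRECT, left, F))
    # 2f + 1 Byzantine robots exceed the bound the algorithm is designed for.
    print("cautious, 2f+1     :", is_cautious(CORRECT[:9], [-1000.0] * 7, F))
    print("diameters          :", run_rounds(CORRECT, F, 6))
```

With at most f Byzantine robots every destination stays inside the range of correct positions, whereas the untrimmed midpoint of the same view does not; with 2f + 1 of them, $P_{2f+1}$ is itself a Byzantine position and the guarantee is lost.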



By definition, convergence aims at asymptotically decreasing the range of possible positions for the correct robots. The shrinking property captures this property. An algorithm is shrinking if there exists a constant factor $\alpha \in (0, 1)$ such that starting in any configuration the range of correct robots eventually decreases by a multiplicative $\alpha$ factor. Note that to deal with the asynchrony of the model, the diameter calculation takes into account both the positions and destinations of correct robots.

Definition 4.1 (Shrinking Algorithm) An algorithm is shrinking if and only if $\exists \alpha \in (0,1)$ such that $\forall t, \exists t' > t$, such that $diam(U(t') \cup D(t')) < \alpha \cdot diam(U(t) \cup D(t))$, where $U(t)$ and $D(t)$ are respectively the multisets of positions and destinations of correct robots.

A natural way to solve convergence is to never let the algorithm increase the diameter of correct robot positions. In this case the algorithm is called cautious. This notion was first introduced in [7]. A cautious algorithm is particularly appealing in the context of Byzantine failures since it always instructs a correct robot to move inside the range of the positions held by the correct robots regardless of the locations of Byzantine ones. The following definition introduced first in [1] customizes the definition of cautious algorithm proposed in [7] to robot networks.

Definition 4.2 (Cautious Algorithm) Let $D_i(t)$ be the last destination calculated by the robot $i$ before time $t$ and let $U^i(t)$ be the positions of the correct robots as seen by robot $i$ before time $t$. An algorithm is cautious if it meets the following conditions: (i) cautiousness: $\forall t$, $D_i(t) \in range(U^i(t))$ for each robot $i$, and (ii) non-triviality: $\forall t$, if $diameter(U(t)) \neq 0$ then $\exists t' > t$ and a robot $i$ such that $D_i(t') \neq U_i(t')$ (at least one correct robot changes its position whenever convergence is not achieved).

Theorem 4.1 [1] Any algorithm that is both cautious and shrinking solves the convergence 
problem in faulty robots networks. 

In the appendix we prove the correctness of Algorithm 5 in the CORDA model under a 
fully asynchronous scheduler. In order to show that Algorithm 5 converges, we prove first 
that it is cautious then we prove that it satisfies the specification of a shrinking algorithm. 
Convergence then follows from Theorem 4.1. 

5 Concluding remarks 

Our work closes the study of the convergence problem for unidimensional robot networks. We studied the convergence problem under the most generic settings: asynchronous robots under unbounded adversaries and the Byzantine fault model. We proved that in these settings the Byzantine resilience lower bound is $5f + 1$ and we propose and prove correct the first deterministic convergence algorithm that meets this lower bound. We are currently investigating the extension of the current work to multi-dimensional spaces.

Appendix



Proof of Lemma 3.1 

Proof: We prove the lemma only for the case when all Byzantine robots are inside $[A, X]$, and we denote the corresponding configuration by $C_1$ (see Figure 1). The case where all Byzantine robots are inside $[X, B]$ is symmetric.

Figure 3: Illustration of Lemma 3.1, configuration $C_2$

Let $C_2$ (see Figure 3) be a similar configuration of $n$ robots where the distribution of positions is isomorphic to that of $C_1$, but where the correct and Byzantine robots are located differently: all robots at $B$ are Byzantine (there are $f$ such robots), and all robots inside $[A, X]$ are correct. Since the robot convergence algorithm is cautious, the diameter of correct robots in $C_2$ must never decrease, and then all their calculated destination points must lie inside $[A, X]$. Since $C_1$ and $C_2$ are indistinguishable to individual robots of SetA, the Look and Compute phases give the same result in the two cases, which proves our lemma. □

Proof of Lemma 3.2 

Proof: We prove the Lemma by contradiction. We assume that the algorithm does not terminate for a given input distance $d_0$, and we prove that this leads to a contradiction. We consider only the case where Border = B, the other case being symmetric. The non-termination of the algorithm implies that there exists some distance $d_1 < d_0$ such that robots at $X$ and $B$ always remain distant by at least $d_1$ from each other, even if robots at $X$ are activated indefinitely.

Note that the placement of Byzantine robots in G2B1 implies that initially, and for $n < 5f$, the number of robots located at $X$ and $B$ is the same and is equal to $(n - f)/2$ as illustrated in Figure 4.(a). We denote by $C_1$ the resulting configuration. We now construct a configuration $C_2$ (see Figure 4.(b)) that is isomorphic to $C_1$ but with a different distribution of Byzantine and correct robots: correct robots are divided equally between $X$ and $B$, $(n - f)/2$ correct robots at $X$ and $(n - f)/2$ others at $B$. By hypothesis, these robots are supposed to converge to a single point (located between $X$ and $B$ as the convergence point is computed by a cautious algorithm).

The placement of Byzantine robots and the choice of activated robots at each cycle is divided into two parts. During even cycles, Byzantine robots are placed at point $A$ and robots located at $X$ are activated. During odd cycles, the scheduler constructs a strictly symmetrical configuration by moving Byzantine robots from $A$ to a point $E$ with $E > B$ and $distance(B, E) = distance(A, X)$. In this case, the scheduler activates robots at $B$.

In these conditions, activating robots at $X$ ensures that they always remain at a distance of at least $d_1$ from those located at $B$ (as in configuration $C_1$). Indeed, configurations $C_1$ and $C_2$ are equivalent and completely indistinguishable to individual robots which must behave similarly in both cases (as the algorithm is deterministic). And by symmetry, the activation of robots at $B$ during odd cycles also ensures that minimum distance of $d_1$ between the two groups of robots. Hence, robots at $X$ and $B$ remain separated by a distance of at least $d_1$ forever even if activated indefinitely, which prevents the convergence of the algorithm and leads to a contradiction. This proves our Lemma. □

Figure 4: Illustration of lemma 3.2 (Fact2, $(n - f)$ even). (a) Configuration $C_1$ for $(n = 13, f = 3)$; (b) Configuration $C_2$ for $(n = 13, f = 3)$.

Proof of Lemma 3.3 

Proof: We consider in our proof only the case when Border = B since the other case is symmetric. The placement of Byzantine robots in G2B2 is such that the multiplicity of $X$ exceeds that of $B$ by 1 during even cycles, and lowers it by 1 during odd cycles. We denote by $C_0$ the initial configuration (in which the multiplicity of $X$ is less than that of $B$ by 1 as illustrated in Figure 5.(a)).

We assume for the purpose of contradiction that G2B2 does not terminate for some input distance $d_0$. This means that robots of SetX and SetB remain always distant from each other by a distance at least equal to $d_1$ with $d_1$ being some distance $< d_0$. The resulting execution in this case is denoted by $E_0 = \{C_0, C_1, C_2, C_3, \ldots\}$. A configuration $C_{i+1}$ is obtained from $C_i$ by activating robots at $X$, letting them execute their Move phases, and moving one Byzantine robot from $X$ to $B$ or vice versa.

Figure 5: Illustration of lemma 3.3 (Fact2, $(n - f)$ odd). (a) Initial configuration $C_0$ for $(n = 12, f = 3)$; (b) Initial configuration $C'_0$ for $(n = 12, f = 3)$.

We construct a configuration $C'_0$ equivalent to $C_0$ but where correct robots are divided between $X$ and $B$ with $\lfloor (n - f)/2 \rfloor$ robots at $X$ and $\lceil (n - f)/2 \rceil$ robots at $B$ (see Figure 5.(b)). By definition, these robots must converge to a point between $X$ and $B$ since they are endowed with a cautious convergence algorithm. Byzantine robots are at $A$. Since $C'_0$ and $C_0$ are equivalent, the activation of robots at $X$ and the displacement of Byzantine robots to the right of $B$ will produce a configuration $C'_1$ that is equivalent to $C_1$ by symmetry.

This time, activated robots are those at $B$. By moving them to their calculated destination points and by moving Byzantine robots again to the left of $X$ the scheduler can form a configuration which is equivalent to $C_2$.

This process can be repeated: during odd cycles, Byzantine robots are at the left of $X$ and robots at $X$ are activated. During even cycles, the situation is symmetrical: Byzantine robots are to the right of $B$ and robots at $B$ are activated. The obtained execution $E'_0 = \{C'_0, C'_1, C'_2, C'_3, \ldots\}$ is equivalent to $E_0$, and robots at $X$ and $B$ remain separated by a distance at least equal to $d_1$ forever even if they are activated indefinitely. This prevents the convergence of the convergence protocol while ensuring fairness of activations, which contradicts the assumptions and proves our Lemma. □

Proof of Lemma 3.5 

Proof: Let $C_1$ be the initial configuration, and consider the computed destination by an activated robot located at $A$ (the case of a robot located at $B$ is symmetric). Since the algorithm is cautious, this destination point is necessarily located inside $[A, B]$. For the lemma to be correct, it suffices to prove that this destination is different from $A$. In other words, we must prove that the robot moves towards $B$ upon its activation. So assume for the sake of contradiction that it is not the case, that is, the computed destination is $A$ and let us separate the analysis into three cases depending on the relationship between $p$ and $q$:

• Case 1 ($p > q$): Let $C_2$ be a configuration isomorphic to $C_1$ with the following placement of robots: at $A$ there are $min(f, p)$ Byzantine robots and $p - min(f, p)$ correct ones, and at $B$ are located $f - min(f, p)$ Byzantine robots and $q - f + min(f, p)$ correct ones. Since configurations $C_1$ and $C_2$ are indistinguishable to individual robots, the destinations computed in the two cases are the same. So when the robots at $A$ are activated, they do not move. The next cycle, the adversary moves $p - q$ Byzantine robots from $A$ to $B$ to obtain a configuration $C_3$ symmetric to $C_2$. This time, the adversary activates the robots at $B$ which do not move either since $C_2$ and $C_3$ are symmetric. Then, the adversary brings the $p - q$ Byzantine robots to $A$ to get again the configuration $C_2$ and then activates the robots at $A$. The process repeats, and by placing these $p - q$ Byzantine robots in one cycle at $A$ and the next cycle at $B$, the adversary prevents the convergence of the algorithm. This is a contradiction.

• Case 2 ($p < q$): We can reach a contradiction by using an argument similar to Case 1.

• Case 3 ($p = q$): If the activated robots at $A$ do not move upon their activation, it is also the case at $B$ since the configuration is symmetric. This prevents the convergence of the algorithm and leads also to a contradiction.

Consequently, the lemma is proved. □

Proof of Algorithm 5 
Algorithm 5 is cautious 

In this section we prove that Algorithm 5 is a cautious algorithm (see Definition 4.2) for $n > 5f$. The following lemma states that the range of the trimmed multiset $trim_{2f}^{i}(P(t))$ is contained in the range of correct positions.

Lemma 5.1 Let $i$ be a correct robot executing Algorithm 5, it holds that

$\forall t, range(trim_{2f}^{i}(P(t))) \subseteq range(U(t))$

Proof: We prove that for any correct robot $i$, the following conditions hold:

1. $\forall t$, $min(trim_{2f}^{i}(P(t))) \in range(U(t))$.

2. $\forall t$, $max(trim_{2f}^{i}(P(t))) \in range(U(t))$.

1. By definition, $min(trim_{2f}^{i}(P(t))) = min\{P_i(t), P_{2f+1}(t)\}$. Hence proving Property (1) reduces to proving $P_i(t) \in range(U(t))$ and $P_{2f+1}(t) \in range(U(t))$.

(a) $P_i(t) \in range(U(t))$ directly follows from the assumption that robot $i$ is correct.

(b) $P_{2f+1}(t) \in range(U(t))$. Suppose the contrary: there exists some time instant $t$ such that $P_{2f+1}(t) \notin range(U(t))$ and prove that this leads to a contradiction. If $P_{2f+1}(t) \notin range(U(t))$ then either $P_{2f+1}(t) < U_1(t)$ or $P_{2f+1}(t) > U_m(t)$.

i. If $P_{2f+1}(t) < U_1(t)$ then there are at least $2f + 1$ positions $\{P_1(t), P_2(t), \ldots, P_{2f}(t), P_{2f+1}(t)\}$ that are smaller than $U_1(t)$ which is the first correct position in the network at time $t$. This means that there would be at least $2f + 1$ Byzantine robots in the system. But this contradicts the assumption that at most $f$ Byzantine robots are present in the system.

ii. If $P_{2f+1}(t) > U_m(t)$ then since $n > 5f$ there are more than $3f$ positions $\{P_{2f+1}(t), \ldots, P_n(t)\}$ that are greater than $U_m(t)$, which is the last correct position in the system at time $t$. This also leads to a contradiction.

2. The property is symmetric to (1) and can be proved using the same argument.

□

A direct consequence of the above property is that correct robots always compute a destination within the range of positions held by correct robots, whatever the behavior of Byzantine ones. Thus, the diameter of positions held by correct robots never increases. Consequently, the algorithm is cautious. The formal proof is proposed in the following lemma.

Lemma 5.2 Algorithm 5 is cautious for $n > 5f$.

Proof: We have to prove the two properties of cautious algorithms, namely cautiousness and non-triviality.

Cautiousness: We start by the cautiousness property of our algorithm. According to Lemma 5.1, $range(trim_{2f}^{i}(P(t))) \subseteq range(U(t))$ for each correct robot $i$, thus $center(trim_{2f}^{i}(P(t))) \in range(U(t))$. It follows that all destinations computed by correct robots are located inside $range(U(t))$ which proves the cautiousness property.

Non-triviality: By fairness, the robots at positions $U_1(t)$ and $U_m(t)$ are guaranteed to be eventually elected irrespective of the positions of Byzantine robots. And at least one of them will move unless all correct robots are colocated in the same point. This proves the non-triviality condition.

□

5.0.1 Algorithm 5 is Shrinking

The following lemma proves that the only robots that can be elected are those located at the extremes of the network, namely those whose position is either less equal than $U_{f+1}(t)$ or greater equal than $U_{m-f}(t)$. The activation of these robots moves them away from the extremes of the network, thereby reducing the diameter of positions held by correct robots which leads to convergence.

Lemma 5.3 If some correct robot $i$ is activated at time $t$, then either $U_i(t) < U_{f+1}(t)$ or $U_i(t) > U_{m-f}(t)$ where $m$ is the number of correct robots in the network and $U_i(t)$ denotes the position of correct robot $i$ at $t$.

Proof: By definition of the algorithm, a robot is activated only if its position is either $< P_{f+1}(t)$ or $> P_{n-f}(t)$. To prove the lemma, it suffices then to show that $P_{f+1}(t) < U_{f+1}(t)$ and $P_{n-f}(t) > U_{m-f}(t)$:

To prove that $P_{f+1}(t) < U_{f+1}(t)$, we suppose to the contrary that $P_{f+1}(t) > U_{f+1}(t)$. In this case, $P_{f+1}(t)$ would be strictly greater than all the positions $\{U_1(t), \ldots, U_{f+1}(t)\}$, which contradicts the definition of $P_{f+1}(t)$ as the $(f + 1)$-th position in the network. This proves that $P_{f+1}(t) < U_{f+1}(t)$ and the same argument is used to prove that $P_{n-f}(t) > U_{m-f}(t)$, since the two cases are symmetric.

□

The following lemma proves an important property on the relationship between the position of a robot and its computed destination. Indeed, knowing the position $U_i(t)$ held by a correct robot $i$ at time $t$, it is possible to give bounds on the possible value of its destination point $D_i(t)$. Interestingly, this bound holds irrespective of the positions of Byzantine robots and the actions of the adversary.

Formally, consider any initial configuration at time $t_0$, such that $U(t_0)$ and $D(t_0)$ are respectively the multiset of positions and destinations of correct robots at time $t_0$. Define $UD(t_0)$ to be the union of $U(t_0)$ and $D(t_0)$. By considering the cycles started by correct robots after $t_0$, the following property holds:

Lemma 5.4 For each correct robot $i$ that starts a cycle after $t_0$, the following inequalities hold:

$\frac{U_i(t) + min(UD(t_0))}{2} < D_i(t) < \frac{U_i(t) + max(UD(t_0))}{2}$

Proof: The proof is twofold. First, we show that (1) $D_i(t) > (U_i(t) + min(UD(t_0)))/2$. Then, we prove the symmetric property (2) $D_i(t) < (U_i(t) + max(UD(t_0)))/2$.

1. $D_i(t) > (U_i(t) + min(UD(t_0)))/2$:

Assume towards contradiction that for some robot $i$ that starts a cycle at time $t_1 > t_0$, there exists a time $t > t_1$ in this cycle such that:

$D_i(t) < \frac{U_i(t) + min(UD(t_0))}{2}$

Note that $U_i(t_1) > U_i(t)$ because if robot $i$ moves between $t_1$ and $t$, it becomes closer to its destination $D_i(t)$. Thus:

$D_i(t) < \frac{U_i(t_1) + min(UD(t_0))}{2}$ ... (1)

This means that $distance(min(UD(t_0)), D_i(t)) < distance(D_i(t), U_i(t))$. Denote by $d$ the distance between $U_i(t_1)$ and $D_i(t)$. Note that $D_i(t) < U_i(t_1)$.

The computation of $D_i(t)$ by $i$ is based on the configuration of the network as last seen by robot $i$. That is, the configuration of the system at the beginning of its cycle $P(t_1)$. This implies that:

$D_i(t) = center(trim_{2f}^{i}(P(t_1)))$ ... (2)

We prove that (1) and (2) combined lead to a contradiction.

The location dependency property of the trimming function implies that $U_i(t_1) \in trim_{2f}^{i}(P(t_1))$.

So, up to this point we proved that there exists a point $U_i(t_1) \in trim_{2f}^{i}(P(t_1))$ such that $U_i(t_1) > D_i(t)$ and $distance(U_i(t_1), D_i(t)) = d$.

But since by (2), $D_i(t)$ is the center of $trim_{2f}^{i}(P(t_1))$, there must exist another point $q \in trim_{2f}^{i}(P(t_1))$, such that $q < D_i(t)$ and $distance(q, D_i(t)) = d$.

But we observed from (1) that $distance(min(UD(t_0)), D_i(t_1)) < d$, which implies that $distance(min(UD(t_0)), D_i(t_1)) < distance(q, D_i(t))$. This means that $q < min(UD(t_0))$. But $q \in trim_{2f}^{i}(P(t_1))$, so $min(trim_{2f}^{i}(P(t_1))) < min(UD(t_0))$. This contradicts lemma 5.1, which proves the first part of our lemma.

2. $D_i(t) < (U_i(t) + max(UD(t_0)))/2$: The property is symmetric to (1) and can be proved using the same argument.

□

Let $S$ be a subset of correct robots, and define $UD_S(t)$ to be the multiset of their positions and destinations at time $t$.

Lemma 5.5 If $|S| > m - 2f$ and there exists a time $t_1 > t_0$ such that for each $t > t_1$, $max(UD_S(t)) < max(UD(t_0)) - b$, then all computed destinations by all correct robots in cycles that start after $t_1$ are $< max(UD(t_0)) - b/2$.

Proof: Let $i$ be any correct robot that computes its destination $D_i$ in a cycle started after $t_1$, say at $t$. We prove in the following that $D_i < max(UD(t_0)) - b/2$:

First, observe that since $max(UD_S(t)) < max(UD(t_0)) - b$ and $|S| > m - 2f > 2f$, then

$min(trim_{2f}^{i}(P(t))) < max(UD(t_0)) - b$

Otherwise, $min(trim_{2f}^{i}(P(t)))$ would be greater than all the positions in $S$ ($> 2f$ positions), which contradicts the definition of $trim_{2f}^{i}$ (at most the $2f$ smallest positions are removed).

According to lemma 5.1, we have

$max(trim_{2f}^{i}(P(t))) < max(UD(t_0))$

But $D_i$ is the center of $trim_{2f}^{i}(P(t))$, which means that $distance(D_i, min(trim_{2f}^{i}(P(t))))$ must be equal to $distance(D_i, max(trim_{2f}^{i}(P(t))))$. Hence,

$D_i < max(UD(t_0)) - b/2$

□

Lemma 5.6 If $|S| > m - f$ and at some time $t_1 > t_0$, $max(UD_S(t_1)) < max(UD(t_0)) - b$, then all computed destinations by all correct robots in cycles that start after $t_1$ are less or equal to $max(UD(t_0)) - b/2$.

Proof: First, we prove that after $t_1$, the robots in $S$ remain always at positions $< max(UD(t_0)) - b$, meaning that all their computed destinations after $t_1$ are $< max(UD(t_0)) - b$.

Assume the contrary: Let $i$ be the first robot in $S$ that starts a cycle after $t_1$ such that its computed destination in this cycle is $> max(UD(t_0)) - b$. This implies that $max(trim_{2f}^{i}(P(t_1))) > max(UD(t_0)) - b$, which means that at least $2f + 1$ positions in the network at $t_1$ are strictly greater than $max(UD(t_0)) - b$.

If we add to these $2f + 1$ positions that are greater than $max(UD(t_0)) - b$, the $m - f > n - 2f$ positions in $S$ that are less or equal than $max(UD(t_0)) - b$, we get a total number of robots in the network that is strictly greater than $n$, which leads to contradiction. This proves that all positions and destinations of robots in $S$ after $t_1$ are less than or equal to $max(UD(t_0)) - b$. Thus by lemma 5.5, the destinations computed by all correct robots in the network are less than or equal to $max(UD(t_0)) - b/2$.

□

The next Lemma states that if some computed destination is located in the neighborhood of one extreme of the network, then a majority of correct robots (at least $m - 2f$) are located in the neighborhood of this extreme.

Lemma 5.7 Let $D_i$ be a destination point computed by a correct robot $i$ in a cycle started at time $t$. If $D_i < min(UD(t)) + b$, then at least $m - 2f$ correct robots are located at positions that are $< min(UD(t)) + 2b$ at $t$.

Proof: The computation of $D_i$ is based on the configuration of the network as last seen by robot $i$, that is the configuration at the beginning of the cycle at $t$, $P(t)$. So we first prove that at $t$, $max(trim_{2f}^{i}(P(t))) < min(UD(t)) + 2b$:

By hypothesis, $D_i < min(UD(t)) + b$. But according to lemma 5.1, $min(UD(t)) < min(trim_{2f}^{i}(P(t)))$. Thus, $D_i < min(trim_{2f}^{i}(P(t))) + b$. This means that

$distance(D_i, min(trim_{2f}^{i}(P(t)))) < b$

But $D_i$ is the center of $trim_{2f}^{i}(P(t))$, which means that $distance(D_i, min(trim_{2f}^{i}(P(t))))$ must be equal to $distance(D_i, max(trim_{2f}^{i}(P(t))))$. Hence,

$max(trim_{2f}^{i}(P(t))) < D_i + b$

But since by hypothesis $D_i < min(UD(t)) + b$, we have

$max(trim_{2f}^{i}(P(t))) < min(UD(t)) + 2b$

This means that at most $2f$ positions (which may be correct) are $> min(UD(t)) + 2b$ at $t$. This completes the proof.

□

Let $U(t_0)$ and $D(t_0)$ be respectively the multisets of positions and destinations of correct robots at the initial time $t_0$, and define $UD(t_0)$ to be the union of $U(t_0)$ and $D(t_0)$. Take $b$ to be any distance $< diameter(UD(t_0))/4$, for example $b = diameter(UD(t_0))/10$.

The next lemma states that if a correct robot elected at $t > t_0$ is located inside the range $(min(UD(t_0)) + b, max(UD(t_0)) - b)$, then the destination points computed by correct robots after $t$ are either all $< max(UD(t_0)) - b/4$ or all $> min(UD(t_0)) + b/4$. This means that the election of a robot located inside $(min(UD(t_0)) + b, max(UD(t_0)) - b)$ is a sufficient condition to convergence.

Lemma 5.8 Let $t_1$ be the first time at which all correct robots in the network executed a complete cycle at least once since $t_0$.

If a correct robot is elected at $t > t_1$ and is located inside $[min(UD(t_0)) + b, max(UD(t_0)) - b]$, then the destination points computed by correct robots in cycles that start after $t$ are either all located at positions $< max(UD(t_0)) - b/4$ or all located at positions $> min(UD(t_0)) + b/4$.

Proof:

Let $i$ be a correct robot that is elected at time $t > t_1$ and whose position $U_i(t)$ is inside $[min(UD(t_0)) + b, max(UD(t_0)) - b]$. According to lemma 5.3, either $U_i(t) > U_{m-f}(t)$ or $U_i(t) < U_{f+1}(t)$. Thus, we separate the analysis into two cases depending on the rank of the elected robot:

• Case 1: $U_i(t) > U_{m-f}(t)$.

Define $S(t)$ to be the set of correct positions $\{U_1(t), \ldots, U_{m-f}(t), \ldots, U_i(t)\}$, and note that $|S(t)| > m - f$.

By hypothesis, $U_i(t) < max(UD(t)) - b$ which implies that the positions of all robots in $S(t)$ are $< min(UD(t)) + b$. Thus by lemma 5.4, the destinations of all robots in $S(t)$ are $< max(UD(t_0)) - b/2$. This means that $range_S(t)$, the range of positions and destinations of robots in $S(t)$, is such that at $t$, $max(range_S(t)) < max(UD(t_0)) - b/2$. Hence, according to lemma 5.6, all destination points computed by correct robots in cycles that start after $t$ are $< max(UD(t_0)) - b/4$.

• Case 2: $U_i(t) < U_{f+1}(t)$.

The case is symmetric and we prove by a similar argument to Case 1 that all destination points computed by correct robots are $> min(UD(t_0)) + b/4$, which proves our lemma.

□

Lemma 5.9 Algorithm 1 is shrinking in CORDA model under a fully asynchronous scheduler when $n > 5f$.

Proof:

Let $U(t_0) = \{U_1(t_0), \ldots, U_m(t_0)\}$ be the configuration of correct robots at initial time $t_0$, and let $D(t_0) = \{D_1(t_0), \ldots, D_m(t_0)\}$ be the multiset of their destinations at $t_0$. Define $UD(t_0)$ to be the union of $U(t_0)$ and $D(t_0)$, and let $diam(t_0)$, the diameter at $t_0$, be equal to $max(UD(t_0)) - min(UD(t_0))$. $U(t)$, $D(t)$, $UD(t)$ and $diam(t)$ for each $t > t_0$ are defined similarly.

Let $t_1$ be the first time at which every correct robot in the network has executed a whole cycle at least once since $t_0$. We consider the evolution of the network after $t_1$. The aim of this is to apply lemma 5.4, that is, based only on the position of a correct robot, we can give bounds on its destination point which is especially interesting in the case of a robot executing a Move phase of its cycle.

We take into account all the computed destinations by correct robots after $t_1$ and we distinguish between two cases: (1) the case when all destinations computed after $t_1$ are inside $[min(UD(t_0)) + diam(t_0)/10, max(UD(t_0)) - diam(t_0)/10]$, and (2) the case when a computed destination after $t_1$ lies outside this range. We show that in both cases, there is a time at which the diameter of correct positions decreases by a factor of at least 39/40.

• Case 1: All destinations computed by correct robots in cycles started after $t_1$ are inside the range

$[min(UD(t_0)) + diam(t_0)/10, max(UD(t_0)) - diam(t_0)/10]$.

In this case, since each robot $i$ is guaranteed to move a minimal distance of $d_i$ before it can be stopped by the adversary, there is a time $t_2 > t_1$ when all correct robots are located inside $[min(UD(t_0)) + diam(t_0)/10, max(UD(t_0)) - diam(t_0)/10]$. Thus $diam(t_2) = diam(t_0) * 4/5$, and by setting $\alpha = 4/5$, our algorithm is shrinking.

• Case 2: There is a destination $D_i$, computed by a correct robot $i$ in a cycle started after $t_1$, that is outside the range

$[min(UD(t_0)) + diam(t_0)/10, max(UD(t_0)) - diam(t_0)/10]$.

This means that either $D_i < min(UD(t_0)) + diam(t_0)/10$ or $D_i > max(UD(t_0)) - diam(t_0)/10$. Since the two cases are symmetric, there is no loss of generality to assume that $D_i < min(UD(t_0)) + diam(t_0)/10$.

The calculation of $D_i$ is based on the configuration of the network as seen by robot $i$ at the beginning of the cycle, say at $t_2$ (with $t_2 > t_1$). Thus, according to lemma 5.7, at $t_2$, at least $m - 2f$ correct robots are located at positions $< min(UD(t_0)) + diam(t_0)/5$. Denote by $S(t_2)$ the set of these robots. By lemma 5.4, the destinations of robots in $S(t_2)$ are $< min(UD(t_0)) + diam(t_0) * (3/5)$. Thus, the positions and destinations of robots in $S(t_2)$ are $< max(UD(t_0)) - diam(t_0) * 2/5$.

We now observe the positions of elected robots whose rank is $< f + 1$ and which are activated after $t_2$. We separate the analysis into two subcases:

- Subcase 2A: There is a time $t > t_2$ at which is elected a correct robot $i$ whose rank is $< f + 1$ and whose position $U_i(t)$ is $> min(UD(t_0)) + diam(t_0)/10$. Notice that since $|S(t_2)| > m - 2f$, $U_i(t)$ is also $< max(UD(t_0)) - diam(t_0) * 2/5$ which is the upper bound on the positions of robots in $S(t_2)$. Thus, $U_i(t) \in [min(UD(t_0)) + diam(t_0)/10, max(UD(t_0)) - diam(t_0)/10]$ and according to lemma 5.8, the diameter eventually decreases by a multiplicative factor of $1 - 1/40$. Hence, by setting $\alpha = 39/40$ the lemma follows.

- Subcase 2B: All elected correct robots that are activated after $t_2$ and whose rank is $< f + 1$ are located at positions $< min(UD(t_0)) + diam(t_0)/10$. This implies, according to lemma 5.4, that the positions of these elected robots remain always at positions $< max(UD(t_0)) - diam(t_0) * 9/20$. Thus, all robots in $S(t_2)$ remain always at positions $< max(UD(t_0)) - diam(t_0) * 9/20$ ($\forall t > t_2$).

According to lemma 5.5, all destinations computed at cycles that start after $t_2$ are $< max(UD(t_0)) - diam(t_0) * 9/40$. And since robots are guaranteed to move toward destinations by a minimum distance before they can be stopped by the adversary, they all end up located at positions $< max(UD(t_0)) - diam(t_0) * 9/40$. Hence there is a time $t > t_2$ such that $diam(t) = diam(t_0) * (1 - 9/40)$. It suffices to set $\alpha = 31/40$ and the lemma follows.

Consequently, we set $\alpha = 39/40$ and the lemma is proved. □